Krebs on Security

In-depth security news and investigation

‘Project Blitzkrieg’ Promises More Aggressive Cyberheists Against U.S. Banks

Last week, security firm RSA detailed a new cybercriminal project aimed at recruiting 100 botmasters to help launch a series of lucrative online heists targeting 30 U.S. banks. RSA’s advisory focused primarily on helping financial institutions prepare for an onslaught of more sophisticated e-banking attacks, and has already received plenty of media attention. I’m weighing in on the topic because their analysis seemed to merely scratch the surface of a larger enterprise that speaks volumes about why online attacks are becoming bolder and more brash toward Western targets.

RSA wasn’t specific about where it got its intelligence, but the report’s findings appear tied to a series of communications posted to exclusive Underweb forums by a Russian hacker who uses the nickname “vorVzakone,” which translates to “thief in law.” This is an expression in Russia and Eastern Europe that refers to an entire subculture of elite criminal gangs that operate beyond the reach of traditional law enforcement. The term is sometimes also used to refer to a single criminal kingpin.

A screen shot posted by vorVzakone, showing his Project Blitzkrieg malware server listing the number of online victims by bank.

In early September, vorVzakone posted a lengthy message announcing the beginning stages of a campaign he dubbed “Project Blitzkrieg.” This was envisioned as a collaborative effort designed to exploit the U.S. banking industry’s lack of anti-fraud mechanisms relative to European financial institutions, which generally require two-factor authentication for all wire transfers.

The campaign, purportedly to be rolled out between now and the Spring of 2013, proposes organizing hacker cells throughout the cybercriminal community to collaborate in exploiting these authentication weaknesses before U.S. banks erect more stringent controls. “The goal – together, en-masse and simultaneously process large amount of the given material before anti-fraud measures are increased,” vorVzakone wrote. A professionally translated version of his entire post is available here.

RSA said the project is being powered by a version of the Gozi Trojan called “Gozi Prinimalka.” The company believes this Trojan is part of a family of malware used by a tight-knit crime gang that has already stolen at least $5 million from banks. From its analysis:

“In a boot camp-style process, accomplice botmasters will be individually selected and trained, thereby becoming entitled to a percentage of the funds they will siphon from victims’ accounts into mule accounts controlled by the gang. To make sure everyone is working hard, each botmaster will select their own ‘investor,’ who will put down the money required to purchase equipment for the operation (servers, laptops) with the incentive of sharing in the illicit profits. The gang and a long list of other accomplices will also reap their share of the spoils, including the money-mule herder and malware developers.

While the campaign is not revolutionary in technical terms, it will supposedly sport several noteworthy features. A novel virtual-machine-synching module announced by the gang, installed on the botmaster’s machine, will purportedly duplicate the victim’s PC settings, including the victim’s time zone, screen resolution, cookies, browser type and version, and software product IDs. Impersonated victims’ accounts will thus be accessed via a SOCKS proxy connection installed on their infected PCs, enabling the cloned virtual system to take on the genuine IP address when accessing the bank’s website.”

vorVzakone also says the operation will flood cyberheist victims’ phone lines while the victims are being robbed, in a bid to prevent account holders from receiving confirmation calls or text messages from their banks (I’ve covered this diversionary tactic in at least a couple of stories). Interestingly, this hacker started discussion threads on different forums in which he posts a video of this service in action. The video shows racks of centrally-managed notebook computers that are each running an installation of Skype. While there are simpler, cheaper and less resource-intensive ways of tying up a target’s phone line, causing all of these systems to call a single number simultaneously would probably achieve the same result. If you don’t see English subtitles when you play the video below, click the “cc” icon in the player to enable them:

THE FIRST RULE OF PROJECT BLITZKRIEG…

vorVzakone’s post has been met with a flurry of curiosity, enthusiasm and skepticism from members of the underground. The skepticism appears to stem from some related postings in which he brags about and calls attention to his credentials/criminal connections, an activity which tends to raise red flags in a community that generally prefers to keep a low profile.

In the following introductory snippet from a homemade movie he posted to youtube.com, vorVzakone introduces himself as “Sergey,” the stocky bald guy in the sunglasses. He also introduces a hacker who needs little introduction in the Russian underground — a well-known individual who used the nickname “NSD” [an abbreviation for the Russian term несанкционированный доступ, or “unauthorized access”] in the mid-2000s, when he claims to have exited the hacking scene.

“Good day to everybody, evening or night, depends on when you are watching me,” the hacker begins, standing in front of a Toyota Land Cruiser. “My name is Serega, you all know me by my nickname “vor v zakone” on the forum. This is my brother, my offline representative – Oleg ‘NSD’. So, what? I decided to meet you, let’s say ‘remotely.’ Without really meeting, right? Now you will see how I live. Let’s go, I will show you something.”

A still shot from a video posted by hacker “vorVzakone”, foreground.

And he proceeds to show viewers around what he claims is his home. But many in the underground community found it difficult to take seriously someone who would be so cavalier about his personal safety, anonymity and security. “This guy’s language and demeanor is that of street corner drug dealer or a night club bouncer, and not of someone who can comprehend what ‘backconnect socks’ or GeoIP is,” remarked one Russian expert who helped translate some of the documentation included in this blog post.

But soon enough, hackers on the forums in which vorVzakone had posted his videos began checking the story, digging up records from Russian motor vehicle agencies indicating that the license plates on the Toyota and other cars in the video were registered to a 27-year-old Oleg Vsevolodovich Tolstykh from Moscow. Further, they pointed out, the videos were posted by a YouTube user named 01NSD, who also had previously posted Finnish and Russian television interviews with NSD describing various facets of the hacker underground. Indeed, if you pause this 2007 video 22 seconds in, you can see on NSD’s screen that he’s in the midst of a chat conversation with a hacker named vorVzakone.

In response to taunts and ridicule from some in the underground, vorVzakone posted this message on Oct. 6 to a prominent crime forum explaining why he doesn’t worry about going public with his business.

“Hi all

Many saw videos on neighboring forums, where I openly demonstrate my cars, house and face.

What do I want to say?

That if you accurately target customers in the USA while being in Russia then you can fear nothing while living in your country. Except the one thing – you should never expose yourself during заливы [“залив” means “in the process of stealing victim’s money from a bank account”].

I am the obvious example of the fact that you can fear nothing in our country, you can live openly and calm.”

‘INSURANCE FROM CRIMINAL PROSECUTION’

vorVzakone’s apparent calm may also be part of a clever sales pitch for another criminal service he is currently pimping to the Underweb: “Insurance from criminal prosecution” for cybercrime charges. For a deposit of 15,000 rubles (roughly $500), hackers can avail themselves of a service that — in the event that local prosecutors levy cyber criminal charges — will try to bribe officials into scuttling the case. “Full anonymity,” vorVzakone promised hackers who signed up for his insurance program. “The [customer’s] real last name gets known only when this person’s ‘ass is on fire.'”

This incredibly bold offering promises many things to subscribers, including the assignment of an attorney, reachable via a subscriber-specific phone number and PIN code. From there, the attorney meets with police and the accused, and discusses the case with his client.

“If there is no credible evidence, the lawyers put pressure on law enforcement officials, so that the person gets set free; If evidence is falsified, they work with local police internal affair office and local prosecutors. If the evidence is credible, they work with the investigator to “buy out” the accused; If there are “real proofs” of felony, they will try to “buy out” the person from the problem; If they are not successful, we find access to investigator’s management (we have contacts). $40,000 is enough to buy the insured out from investigator’s management. There are also people who are ready to go to prison instead of the subscriber.” [emphasis added].

Subscribers are offered a $10,000 budget to cover attorney travel costs and initial legal (and probably extra-legal) maneuvers on the client’s behalf. The ad also gives us a rough approximation of what it generally costs to bribe or intimidate local law enforcement officials into inaction.

$1,000 is enough to take a knowledgeable lawyer to a neighboring region by car.

$3,000 is enough to fly to any region with two lawyers.

$6,000-$8,000 is enough to involve local police internal affair office to build the case against the police.

$20,000 is enough to buy out the insured from the investigator.

$40,000 is enough to buy the insured out from local police chiefs.

$100,000 is enough to resolve the issue at the highest levels of management or to place some “drop” to prison instead of the insured.

For those interested in reading more, a rough translation of the entire advertisement for the “insurance from criminal prosecution” service is available here.

TAKEAWAYS?

It’s difficult to say whether vorVzakone’s offerings are legitimate, or if he is — as many in the underground apparently fear — an instrument (if not creation) of Russian law enforcement officials. Nevertheless, banks should already be moving toward implementing more stringent authentication controls for customers who want to move money. Unfortunately, many U.S. financial institutions are lagging behind the rest of the world in this regard.

Under “Regulation E” of the Electronic Funds Transfer Act (EFTA), consumers are not liable for financial losses due to fraud — including account takeovers due to lost or stolen usernames and passwords — if they promptly report the unauthorized activity. However, entities that experience similar fraud with a commercial or business banking account do not enjoy the same protections and often are forced to absorb the losses. Organized cyber thieves, meanwhile, have stolen tens of millions of dollars from small to mid-sized businesses, nonprofits, towns and cities, according to the FBI.

But the best way to avoid a cyberheist is to not have your computer systems infected in the first place. The trouble is, it’s becoming increasingly difficult to tell when a system is or is not infected. That’s why I advocate the use of a Live CD approach for online banking: That way, even if the underlying hard drive is infected with a remote-access, password stealing Trojan like Gozi, your online banking session is protected.

This “insurance” thing definitely sounds like a scam. How many $500 “deposits” are going to support a $10,000 budget for legal services and bribes for how many hackers who are likely to get caught, let alone the higher sums? How many hackers are going to be dumb enough to make a $500 deposit without PROOF that the services are actually available and effective?

It would be smarter for hackers to simply tithe a portion of their earnings from their activities to their own chosen lawyer in advance in anticipation of their getting caught.

As for the planned bank heists, I’ll just note that it sounds like a sting. Even if it’s not, as the Kingpin book showed, cooperation among cybercrooks rarely works out well, at least once it becomes highly organized… Too many c(r)ooks spoil the recipe…

All good points. Not saying it’s real or no, but I could imagine a situation where actually very few of those who take the service ever need it (like many types of insurance in real life), and those that do end up paying more in addition to the retainer (think a costly deductible). Besides, when you are in some stinking prison awaiting trial and you’ve already invested some amount, aren’t you more likely to cough up additional monies in the service you’ve already invested in, as opposed to going through the trouble at that point of finding a new lawyer?

True, but again I’d rather do this with a real personal defense lawyer with a reputation than some guys I don’t know from Adam…

Even if I did know them, how do I know these guys wouldn’t get caught before *I* do? I’m sure there are criminal charges of some sort for “providing insurance to criminals”, let alone guaranteeing bribes…

Bottom line: While a service like that sounds good, the details matter. And I’d have to know every detail of their operation to be convinced – and that would make me a security risk…

Which means the stupidity of the whole concept makes it 1) a scam, or 2) a sting, or 3) just plain stupid.

Full name of the registered owner of both cars is “Олег Всеволодович Толстых” or “Oleg Vsevolodovich Tolstykh”, where “Vsevolodovich” is a middle name (patronymic) and “Tolstykh” is the last name.

Also an interesting fact – the leaked DMV records show that Oleg Tolstykh was caught speeding in the more expensive Land Cruiser on 09/05, 09/03, 08/29 (twice), 08/28, 08/22, 06/22 (twice), 06/15, 05/29 (twice), 05/15 (twice), 05/07, etc… This doesn’t count speeding tickets received in the Hyundai or other cars.

In the videos “Serega aka vorVzakone” brags about NSD being only the nominal owner of both cars, a fact which I think is contradicted by this record of speeding tickets. Unless, of course, Oleg Tolstykh is his personal driver in addition to being the technical lead of his carding operation. And the guy is a fast driver, no doubt – so many speeding tickets in such a short timeframe looks like quite an astonishing driving record to me.

Just wait until Brian begins to learn Chinese (presumably, the Mandarin dialect).

I copied and pasted the URL for this article into the text box at http://translate.google.com, selected From: ‘Russian’ and To: ‘English’ and it worked like a charm.

P.S. Brian, have you given any thought to working with Google to make Google Translate available on your website? This might be beneficial to many of your readers and would likely increase your readership. Perhaps a command button could be configured to take a reader directly from one of your articles to http://translate.google.com where a user can simply select the From: and To: values for translation? Assuming that something like this is possible.

Hah. I am actually learning Mandarin as we speak, although I am still very much in the early stages.

I don’t know that having some Google translate tab on my site is going to help matters. GT is actually a pretty good referrer of traffic to my blog already. As helpful as it has been in helping me to learn Russian, I find the service is still not nearly good enough for me to be comfortable encouraging readers to believe they’ll get a true and accurate translation of what I’m trying to get across.

From what I’ve seen of GT’s translation of most Russian forums and sites, it leaves a lot of meaning and context to be desired. I would be reluctant to endorse any kind of robotranslation of my content given the kinds of mistranslations I’ve seen so far.

On the “Vor V Zakone” nickname – The term “Вор в законе” never refers to an organization, it is always an individual. It is a popular subject in Russian-speaking culture, very often brought up in mass media, and I never encountered it being used for describing anything but a single individual. “Воры в законе” (the plural of the word “Vor”) may refer to an organized group of them, of course. By different estimates there are hundreds or thousands of Thieves in Law and they always build various alliances and affiliations, which obviously results in rivalries. Such rivalries sometimes escalate into “wars”. The arrests and attempted or successful assassinations of prominent Thieves in Law often become top news in Russian media.

BTW, if VVZ is ever apprehended and thrown in jail the fact that he publicly called himself “Vor V Zakone” without being “officially coronated” as such will no doubt be a very big problem for him in jail – it is a grave violation of the rules of that world that is severely punishable. I would definitely try to keep out of jail especially hard if I was him…

I hope the fact that I leave these moronic comments here — even if they are not obviously so to Western readers — and do not delete them is proof enough to my regular readers that I don’t censor comments around here. I rarely ever even thumb up or down a comment. The only time I remove comments is if they are inane and completely off-topic; contain excessive profanity; maliciously attack other readers; or link to malware or spammy sites.

I’m already using Linux as my everyday operating system. Should I still boot a Live CD for online banking? While there are a lot of Java / JavaScript exploits, aren’t they really just trying to deliver a Windows malware payload?

Using the LiveCD will ensure that any malware currently resident on your Linux system’s HD (or memory) won’t impact or corrupt your financial transaction.

You have to reboot your PC to run the LiveCD, which will clear your RAM. The LiveCD won’t use your HD, so even if you somehow get infected, the infection won’t be saved to disk, and won’t survive in memory when you reboot to get back to your regular Linux environment.

Brian, you know how much money it is going to cost to introduce a live CD to every person in the USA? Billions and billions of dollars.
Trust me, greedy banksters won’t pay that sort of money just because you may or may not lose some of YOUR hard earned cash (that’s your problem if you do).

Your poor country can’t even afford chip and PIN, never mind live CD. lol

And when/if they do that, hackers will move to mobile banking or something else. It’s a never ending game of cat and mouse.
Enjoy the ride.

Why would someone planning such a big criminal project have so many recent speeding tickets? So deliberately over the top and high profile…more like those tickets were added to his record to make him look unlawful. Either that or he is a true doofus who idolizes Kim Schmitz.

So what’s the consensus about this RSA report? Is it, as many of the people posting comments are saying, a sting operation set up by the Russian authorities to trap anyone greedy or unwary enough to sign up for this proposed attack on US banks? It would certainly allow the Russian government to portray itself as a good friend of the American government (and financial system) if the police and/or FSB could arrest all the members of a dangerous hacking group and put them on trial.

Or is this operation what it claims to be – a once-in-a-lifetime opportunity to get rich quick, with a get-out-of-jail guarantee if anyone is caught?

I can see why RSA would be playing this for all it’s worth, but security companies like Trend Micro seem to be taking this seriously. Others appear to be slightly more sceptical, but they obviously have to treat it as a credible threat.

My own impression is that giving out so much information so publicly before the proposed attack makes it less credible. And for the principal hackers to break cover and flaunt themselves in this way is (correct me if I’m wrong) unprecedented.

Pete, did you watch the video? It has more details on the somewhat hardware-intensive approach they seem to have taken.

I think in many cases an intruder in control over a victim’s machine and bank account can check the settings/profile info on that account and see what number is attached to it. That would be the easiest way to know which number(s) to flood.

Pete, you still don’t understand. The lines aren’t important for you to dial out on, they’re more important for your bank to contact you on. Sit back, read, and watch. You will be smarter tomorrow than you were today.

Regarding the U.S. Air Force’s Lightweight Portable Security LiveCD, there actually are cases where some users would find it to be a better solution than a Puppy Linux Live CD. Ergo, some banks and trading web sites still require the Java plug-in to use their web sites.

As the U.S.A.F. LiveCD ships with the Java plug-in, users needing the plug-in can do their on-line banking and trading activities much more safely with this LiveCD.

That’s exactly what I meant, Brian. You quote too much these days. Get your own life.
This whole blog is one big quote, without any decent proof or facts. Most of the time anyway.
I’m even afraid to say something here because you may quote it later.
I think it is a copyright infringement. ))

And I’m sorry about the “nasty remark”, Brian, I never meant to offend anyone. It’s just the way I speak. We like your blog — a lot. From Russia with love